According to a new report by Der Spiegel, the British signals intelligence spy agency has again employed a “quantum insert” technique as a way to target employees (Google Translate) of two companies that are GRX (Global Roaming Exchange) providers.

The lead author of the story in the German magazine is Laura Poitras, one of the journalists known to have access to the entire trove of documents leaked by former National Security Agency (NSA) contractor Edward Snowden.

GRX is roughly analogous to an IX (Internet Exchange), and it acts as a major exchange for mobile Internet traffic while users roam around the globe. There are only around two dozen such GRX providers globally. This new attack specifically targeted administrators and engineers of Comfone and Mach (which was acquired over the summer by Syniverse), two GRX providers.

Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.

Bruce Schneier, a well-known cryptographer and security expert, explained on his blog last month that “the NSA relies on its secret partnerships with US telecom companies.” Presumably, the GCHQ has a similar arrangement with UK and/or European telcos.

As Schneier wrote:

As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the Internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-in-the-middle" attacks and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the Internet backbone and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

Phillippe Langlois, the founder of P1 Security, presented (PDF) on GRX vulnerabilities at a security conference back in 2011.

Senator John McCain, on Snowden

Meanwhile, the German magazine also interviewed Sen. John McCain (R-AZ), asking specifically about Snowden and the spying affair against German Chancellor Angela Merkel.

McCain said that the NSA conducted the spying operation against Merkel "because they could do it. In other words, there were people with enhanced capabilities that have been developed over the last decade or so, and they were sitting around and said 'we can do this,' and so they did it."

He lamented the lack of Congressional oversight and added that Gen. Keith Alexander, the head of the NSA, should be fired.

The Arizona senator dismissed the possibility that Germany and Chancellor Merkel would grant asylum to Snowden: "She would never consider such a thing. We're too good friends."

McCain also said he was convinced that Snowden gave all of his information to Russia, which Snowden has denied.

SPIEGEL: What would be the consequences for Snowden if he were to return to the United States?

McCain: He'd go on trial, but he's not coming back.

SPIEGEL: Even next year when his asylum in Russia expires?

McCain: Never. President Vladimir Putin will grant him asylum indefinitely. The Russians know if they send him back that that's a lesson to other people who might defect. I'm sure that Mr. Snowden has told them everything that he possibly knows.

SPIEGEL: He denies that and says that he did not take the NSA documents to Russia.

McCain: If you believe that Mr. Snowden didn't give the Russians information that he has, then you believe that pigs can fly.

Update Monday 11:35am CT: A spokesperson for Slashdot's parent company, Dice Holdings, told Ars that it only found out about this situation late Sunday.

"To be clear, we have not been asked to cooperate with any government agency related to this matter and have not provided access to Slashdot systems or user information," Jennifer Bewley said by e-mail. "We know of no unauthorized Slashdot code manipulation, or attempts to effect any. We do not approve of this reported activity, and if true, it’s unfortunate that we are yet another in a long line of Internet businesses to suffer this type of intrusion."